Don’t bank on it, or the Case of the Deceitful Receipt

Here’s a weird thing. On Wednesday
afternoon, I withdrew some cash from an ATM at a branch of
the big bank my account was flipped to during the Great
Banking Shakedown of 2008. Earlier in the day, I had checked
my balance online, so when the ATM receipt printed, I was
shocked to see the new balance was half what I expected.

My first thought was that someone had hacked my account,
but then I looked more closely at the receipt and saw that
the last four digits of the card it was for weren’t the
last four digits of my card. I went into the branch and
showed the receipt and my card to an account manager. “Oh,
we’re aware of that,” she said. “We’ve told them
there’s a time lag in printing the receipts but they
haven’t fixed it yet. Which ATM was it?”

When I
described its location, she affirmed that was the errant
machine. Then she logged into my account to show me that, in
fact, the balance was exactly what I thought it was and that
there were no fraudulent transactions. She gave me back my
card, screwed up the receipt, and off I went.

Somewhat
dumbfounded.

Firstly, at the blasé attitude. Secondly,
that she didn’t apologize on behalf of the bank, and she
didn’t suggest putting a lock or a fraud watch on my
account, just to be on the safe side.

It wasn’t until
the next day, when I was recounting the incident to
workmates, that I realized I was also angry. Angry that the
bank knew of the problem and hadn’t done the obvious
immediately—taken the machine offline and put up an “out
of order” message.

Angry at the thought that somebody,
instead of me, might have been withdrawing what they thought
was their last 20 bucks, and upon seeing a bigger balance
than they expected surmised that their tax rebate had come
through, and trotted off to spend up large on their debit
card. Only to find their account dinged with overdraft
penalty fees, and no way of proving they had used the card
in good faith. Even if they had kept the receipt, what hope
would they think they had of proving they hadn’t just
picked the receipt up off the ground nearby?

Angry at the
privacy issues. Let’s say two people were going out for a
night on the town and lined up at the same ATM to make a
withdrawal. Say the second person got the receipt for the
first person’s transaction, and happened to know the last
four digits of their account—then they’d know how much
money their friend had in the bank.

OK, that’s a bit
far-fetched. It you’re so palsy-walsy that you know the
last four digits of your friend’s debit card, you probably
know their bank balance anyway.

But while I’m being
far-fetched, how about this: What if the reason they
didn’t take the errant machine offline was that it
wasn’t the only ATM in their banking network that was
doing weird things? What if their system had been
compromised to the point that an actual fraudulent
transaction had indeed taken place—not on my account but
on the account whose number appeared on the receipt?

The
bank couldn’t put all of their ATMs “out of order”
while they figured out the problem without bringing a large
part of US commercial life to a halt, so they just left it
to a case-by-case basis knowing that most people no longer
ask for a paper receipt, and those that do probably don’t
look at them too closely and rely on the bank to have gotten
it right.

As serendipity would have it, two days later the
news broke that millions of credit and debit cards might
have been compromised. Initial news reports said the hackers
had gained the information from parking buildings in New
York (since NY is full of tourists, that might neatly
explain how the fraud was happening all over the country).
Then, as this later Reuters news story tells it, the breach
had reportedly come about through a third-party card
transaction processing company.

On a local news show, the
station’s consumer reporter said that the breach concerned
only credit cards. Credit card account holders, he said, are
protected by a federal law that requires the c/c companies
to take any supposedly fraudulent transaction off the
account until it can be investigated and resolved. Debit
cards, he said, are governed only by the rules set for
themselves by the banks. It may be months, if at all, before
money fraudulently taken from your account is
reinstated.

But perhaps there is some good news for debit
card holders.

Since March 1, the Consumer Financial
Protection Bureau, has been taking complaints related to
checking accounts, including the use of ATMs and debit
cards. According to their press release at the
time:

“The Bureau expects banks to respond to complaints
within 15 days and seeks to close all complaints within 60
days. Consumers are given a tracking number after submitting
a complaint. They are then able to log in to the CFPB
website at any time and check the status of their case. Each
complaint will be processed individually and consumers will
have the option to dispute a bank’s resolution.”

Scoop Citizen Members and ScoopPro Organisations are the lifeblood of Scoop.

20 years of independent publishing is a milestone, but your support is essential to keep Scoop thriving. We are building on our offering with new In-depth Engaged Journalism platform - thedig.nz.
Find out more and join us:

ALSO:

In the circumstances, yesterday’s move by Lam to scrap – rather than merely suspend – the hated extradition law that first triggered the protests three months ago, seems like the least she can do. It may also be too little, too late. More>>

The DOC-led draft Biodiversity Strategy seeks a “shared vision.” But there are more values and views around wildlife than there are species. How can we hope to agree on the shape of Aotearoa’s future biota? More>>

We are in a moment of existential peril, with interconnected climate and biodiversity crises converging on a global scale to drive most life on Earth to the brink of extinction… These massive challenges can, however, be reframed as a once in a lifetime opportunity to fundamentally change how humanity relates to nature and to each other. Read on The Dig>>